Vulnerability Disclosure Policy
Last updated on 1/6/2006
Information regarding software vulnerabilities travels very fast on the Internet. Though Civil Engines is a very small software and service provider, we are nonetheless adopting a full disclosure policy for any security vulnerabilities discovered in the products and services we provide. We hope that full disclosure of any security issues will help our users find quick and easy workarounds to their immediate security concerns.
When we discover a security vulnerability in any of our software or services, we will inform (within 5 working days) our users and beta testers of the potential security risks of the particular version of the software and/or service they are using. In those 5 working days we will try to assess the extent of the risk of the vulnerability and try to come up with a temporary workaround for our users. We will then publicly issue a security warning on our website and provide instructions regarding what can be done to mitigate those risks. We will include a case number, a short description of the vulnerability and its severity, and a workaround for all security warnings issued through our website. In the interest of keeping our users safe, we will not release any code or additional information that can be used to demonstrate the vulnerability (obviously). We may disclose additional information via service bulletins on our website or in the release notes of a new version of the software that resolves the security vulnerability.
We ask that individuals and organizations that may find, encounter or suspect a security vulnerability within our products or services contact us directly at “security at civilnetizen dot com” about the vulnerability and provide us with a 24-hour grace period before publicly disclosing their findings. That grace period should provide us with sufficient time to assess and respond to the finding with an appropriate time estimate for delivering a workaround. We also ask that individuals and organizations refrain from posting exploit code or other information that may put our users at risk. If an individual or organization really feels that it is important to disclose such information, we ask that they refrain from doing so at least until we come up with a workaround for the vulnerability.
Any Mozilla security vulnerabilities discovered through our integration and use of Mozilla software will be addressed in accordance with the guidelines set forth by the Mozilla Foundation. We will forward any findings to the appropriate Mozilla component module owner and work with them on handling disclosure of any findings and verifying any fixes and workarounds.
We hope that this policy serves as a good starting point for discussing any issues that may arise over security vulnerabilities and their disclosure. If you have any questions, please contact us directly via email at “security at civilnetizen dot com” or via postal mail:
Paolo de Dios
Civil Engines Research
888c 8th Avenue, #516
New York, NY 10019
